Fixed Bug #63581 Possible buffer overflow

In fpm-log, possible buffer overflow. Check for length is done at
the beginning of the loop, so is not done when overflow occurs
on the last loop (len = 1024 or 1025). (ack from fat).

This issue where found from by static code analysis tool and, so,
I can't provide any reproducer.

diff --git a/NEWS b/NEWS
index eb4238ab78c976807a62ab0f2fc2a5a48f8ef54d..08da27c53e66dfc2c72b0357646791b6b509761b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP                                                                        NEWS
   . Fixed bug #63590 (Different results in TS and NTS under Windows).
     (Anatoliy)
 
+- FPM:
+  . Fixed bug #63581 Possible null dereference and buffer overflow (Remi)
+
 - Imap:
   . Fixed Bug #63126 DISABLE_AUTHENTICATOR ignores array (Remi)
 

diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
index 69bd31b1135c7bbca51b7505e1b298a6b702ca98..6b014b5005a154cd9fd3c6abe91d89159a36a551 100644 (file)
--- a/sapi/fpm/fpm/fpm_log.c
+++ b/sapi/fpm/fpm/fpm_log.c
@@ -96,7 +96,7 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp)  /* {{{ */
 int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
 {
        char *s, *b;
-       char buffer[FPM_LOG_BUFFER];
+       char buffer[FPM_LOG_BUFFER+1];
        int token, test;
        size_t len, len2;
        struct fpm_scoreboard_proc_s proc, *proc_p;
@@ -146,9 +146,10 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
        s = log_format;
 
        while (*s != '\0') {
-               if (len > FPM_LOG_BUFFER) {
+               /* Test is we have place for 1 more char. */
+               if (len >= FPM_LOG_BUFFER) {
                        zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
-                       len = FPM_LOG_BUFFER - 1;
+                       len = FPM_LOG_BUFFER;
                        break;
                }